Townsend Security Data Privacy Blog

Kristie Edwards

Recent Posts

… What are people so afraid of?

In motivational bestsellers, Who Moved My Cheese by Spencer Johnson and Sheryl Sandberg's new book Lean In, the question has been posed "What would you do if you weren’t afraid?” From that question have come thousands of YouTube video responses, even more posts on social media outlets, and years’ worth of facilitated group meetings. So I thought of my own question: “What could we do if we weren’t afraid of technology?”

Even today, in 2013, there is resistance to moving forward with new cloud technology. I have talked with many prospects about how they currently manage their virtual customer data and most of the time it ends with “well we don’t”.

We recently released a VMware version of our Alliance Key Manager. Alliance Key Manager for VMware allows enterprises to deploy virtualized encryption and key management servers in IT data centers, as well as the cloud.

So now we ponder “why are people afraid of this technology, and what could we help them accomplish if that fear was gone?”

Here at Townsend Security, we can see how some of our prospects and even customers are afraid of these advancements in technology. How in the world is this piece of software going to protect our business and our customer information? Isn’t it easier to reach over to your desk drawer, and pull out that sticky note with your passwords? Or to walk over to the server and manage your system internally? I mean, how do we really know things are going to be safe “out there”?

Well, we’ve got answers to those questions. Advanced technology. Product testing. Accountability. Solid reputation. Trusted products. Dependable support. Testing, testing, and more testing. These are just a few ways to describe Townsend Security’s solution to a virtualized encryption key manager.

As enterprises adopt public and private cloud storage, they bring their sensitive data with them – customer names, email addresses and other personally identifiable information (PII). While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations who want the flexibility and security of a native VMware solution. By deploying Alliance Key Manager for VMware as a vCloud instance, customers can achieve their security and efficiency goals in a cloud environment.

We wouldn’t have advanced this far in technology, if we were all afraid to move forward. Our development team has worked long and hard to make sure your fears will be a thing of the past.

How organizations can use virtualized servers in their data centers and the cloud

Special compliance considerations for enterprises who virtualize their infrastructure

What Townsend Security is doing to help organizations deploy virtualized encryption key management

After the podcast you can request a product evaluation of our Encryption Key Manager VMWare solution for 30 days and test it out. We offer complimentary 30-day trials of all our solutions, and have a great team of people to walk you through the process… so you have nothing left to fear.

Nearly every week I get asked the same question about IBM i (AS/400) upgrades by our current Alliance AES/400 and Alliance FTP customers who are in the process of updating their operating system:

Q: “I am running Alliance FTP Manager with Commercial PGP. Do I need to upgrade this to your latest version before I upgrade my IBM i to V7R1?”

A: Always upgrade the software you are currently running to the latest version first, then upgrade your operating system second. IBM made changes in V6R1 and V7R1 and we have builds specific to these Operating Systems. If you upgrade your software first to the most recent release, you will avoid larger issues around transferring your data when you upgrade to one of the newer IBM i versions.

Another related question I’m often asked is:

Q: “Should we do a system backup before a major OS update?”

A: Yes, you should always do a full system backup before making changes to your system. System upgrades and other changes to your OS are often a challenge and can result in data loss, system crashes, and other major issues if you’re not careful. You never know what could happen, and you don’t want to be left piecing your system back together while your customers are waiting. Because it’s such a critical component, we always remind our customers to back up their current application library. If something does go wrong during the upgrade, you’ll want the option to revert to the backup.

To help with these sorts of issues we provide a customer service portal with an extensive list of solutions and frequently asked questions. 24/7 support is often an important need for many customers upgrading their IBM i or other operating system, and we provide that as well. We know that planning a move like this takes lots of time and if we can help, we are happy to assist.

Here at Townsend Security we’re always engaging with businesses and organizations who not only need to meet data security compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC, but are also deeply concerned about their customers’ data and the protection of their own company’s brand in the event of a data loss. Compliance is often the main driver of encryption and encryption key management, but these days the fear of a data breach weighs heavily on many people’s minds.

I recently spoke with a prospect who downloaded our AES Encryption Standards White Paper, and then decided to contact us. He was eager to find out about pricing and how AES encryption could work with his company. He told me about their need for encryption: he is very concerned about meeting HIPAA/HITECH and SOX Acts (both recommend if not require encryption and key management), and he knows his company’s data is unprotected in many critical areas. As he put it, they’re just waiting for something bad to happen. Although they are already encrypting much of their sensitive data (a great first step), they have outgrown their current encryption solution, need to encrypt more data, and are still out of compliance.

He said to me point blank, “We are sitting here with our pants down, waiting to be exposed!”

I asked the prospect, “Well let me ask you an easy first question to make sure our NIST Certified AES Encryption fits you and your company’s needs. What system are you currently running on?”

His reply: IBM i, Power 7.

I told him: WE CAN DO THAT!!

Townsend Security has a deep history with IBM i. We have been working with IBM i systems for over 20 years. With the new FIELDPROC capabilities in IBM i V7R1, our AES encryption solution installs into an IBM i customer’s environment, provides both our optimized and certified AES encryption libraries, and the encryption key management you need to be compliant. IBM has done the hard work of making this capability available, and we do the work of snapping in proper encryption and key management.

Later in our conversation, we discussed risk management, cost and what would happen to the company if they were exposed. He told his boss that they were subject to fines and damage to their company brand and would spend time remediating the breach instead of growing the business. Protecting the company’s sensitive data not only protects the business as a whole, it also protects your customers who rely on and trust your company to protect their personal information.

To learn more about Townsend Security’s easy and automatic encryption and key management solutions for IBM i, contact us today at 1-800-357-1019. Or if you’re not into picking up that heavy phone, contact Kristie Edwards (kristie.edwards@townsendsecurity.com) today, and we’ll make sure we do the heavy lifting on our end. You might also enjoy watching a recording of our recent webinar, "Top 3 IBM i Security Tips,” presented by data security experts Patrick Townsend and Patrick Botz.

I went to my first ever kickboxing class the other night, and it kicked my butt, LITERALLY. I thought that because I work out on a daily basis and recently ran a 10K, that a 1-hour kickboxing class would be a nice cardio day for me. Boy was I wrong.

I can imagine that PCI audits can be like this for others, maybe even you. You think you have nothing to worry about (after all, you have been investing heavily for this day) and then WHAM, your auditor/kickboxing instructor knocks you down flat!

We hear this from companies as they go through their audits: “We thought we were doing everything correct. All our cardholder data was encrypted!”

What these companies fail to realize, and what the auditor will quickly point out, is that proper encryption requires encryption key management!

“But wait, we are a level two merchant and you want us to do what? Manage our encryption keys? Since when do you have to manage your encryption keys separate from your appliance? Doesn’t IBM offer a key store on your IBM i (AS/400, iSeries)?" I was shocked the exact same way when my instructor said, “We’re going to do 2 punches, 1 hook, and a roundhouse kick to the bag, and you need to repeat this for the next 2 minutes!” Are you kidding me?

Townsend Security works with you to meet PCI audit requirements. We assist organizations both large and small in obtaining compliance with sections 3 & 4 through our AES encryption and encryption key management solutions. We also address the requirements of section 10 by providing customers with Alliance LogAgent, our system logging solution for the IBM i.

Passing an audit, like kickboxing, is a lot of work and not something you can just wake up and do well. They both take an investment of time and resources - and at the end of the day, you will be stronger and able to defend yourself.

If it weren’t for the great support and expertise of my teachers, I would not have survived my first class. Cheers to them and cheers to Townsend Security helping companies of all sizes meet their PCI audits.

For more information on passing your PCI audit, download our white paper “Meeting the Challenges of PCI Compliance” and learn what your auditor will look for, how you can ensure your PII is secure, and why auditors are looking specifically at encryption key management.

One of our customers recently submitted a support ticket related to a question asked by their QSA Auditor. Just a quick background on our customer - they have an all IBM i environment and are using AES/400, our NIST-certified AES encryption among other data privacy solutions we offer. This customer needs to comply with PCI because they are accepting credit cards and store personally identifiable information (PII). The question was: How does your AES encryption software prevent unauthorized substitution of cryptographic keys?

At Townsend Security we stress the need for encryption any time you have sensitive data, but that is only half of the battle. You also need to protect the encryption key with a key manager. Did the question about substitution of cryptographic keys surprise us? No, it didn’t. This is a great example of what is happening out in the business world.

If your encryption is weak (did you know there is weak encryption?), this is a legitimate concern. There is a “key store” on the IBM i that stores encryption keys, but it’s like putting your house key underneath the welcome mat to your front door.

If you are using our Alliance Key Manager (our encryption key management HSM), we use NIST FIPS 140-2 best practices for detecting key substitution or key corruption. This involves the use of an HMAC mechanism with each key stored in the key management appliance.
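As an added illustration of the HMAC-per-key idea described above (this is example code written for this page, not Alliance Key Manager’s implementation, and it makes no claim about how that appliance stores records), each stored key carries an HMAC-SHA256 tag over its id, version and material under a separate integrity key, so that both a flipped key byte (corruption) and a valid record copied under another id (substitution) fail verification; the record layout, key ids and integrity key are assumptions:

```python
import hashlib
import hmac
import os
import struct


class KeyIntegrityError(Exception):
    """Raised when a stored key's HMAC tag does not verify."""


def _integrity_tag(integrity_key: bytes, key_id: str, version: int, key_bytes: bytes) -> bytes:
    """HMAC-SHA256 over the key's id, version and material (length-prefixed).

    Binding the id and version into the tag means a valid record copied under a
    different id (substitution) is caught, not only altered key bytes (corruption).
    """
    name = key_id.encode("utf-8")
    msg = struct.pack(">H", len(name)) + name + struct.pack(">I", version) + key_bytes
    return hmac.new(integrity_key, msg, hashlib.sha256).digest()


def store_key(store: dict, integrity_key: bytes, key_id: str, version: int, key_bytes: bytes) -> None:
    """Write a key record together with its integrity tag."""
    store[key_id] = {
        "version": version,
        "key": key_bytes,
        "tag": _integrity_tag(integrity_key, key_id, version, key_bytes),
    }


def fetch_key(store: dict, integrity_key: bytes, key_id: str) -> bytes:
    """Return the key material only if its tag verifies under the integrity key."""
    rec = store[key_id]
    expected = _integrity_tag(integrity_key, key_id, rec["version"], rec["key"])
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, rec["tag"]):
        raise KeyIntegrityError(f"key {key_id!r}: HMAC mismatch (substituted or corrupted)")
    return rec["key"]


def demo() -> dict:
    """Exercise three cases: intact key, corrupted key, substituted key."""
    # Constructed keys for the demo; a real appliance generates them inside the HSM.
    integrity_key = os.urandom(32)  # kept separate from the data keys it protects
    store = {}
    store_key(store, integrity_key, "cust-pii-key", 1, os.urandom(32))
    store_key(store, integrity_key, "test-key", 1, os.urandom(32))
    results = {}

    # 1. An intact record verifies and returns its material.
    results["intact"] = fetch_key(store, integrity_key, "cust-pii-key") == store["cust-pii-key"]["key"]

    # 2. Corruption: flip one bit of the stored key bytes, tag left untouched.
    corrupted = bytearray(store["cust-pii-key"]["key"])
    corrupted[0] ^= 0x01
    store["cust-pii-key"]["key"] = bytes(corrupted)
    try:
        fetch_key(store, integrity_key, "cust-pii-key")
        results["corruption_detected"] = False
    except KeyIntegrityError:
        results["corruption_detected"] = True

    # 3. Substitution: copy the valid "test-key" record (tag included) over the production id.
    store["cust-pii-key"] = dict(store["test-key"])
    try:
        fetch_key(store, integrity_key, "cust-pii-key")
        results["substitution_detected"] = False
    except KeyIntegrityError:
        results["substitution_detected"] = True
    return results
```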

What kind of questions are your QSA Auditors asking? We would love to hear from you, whether you are a current customer of ours or not. If you are interested in hearing more, download our podcast on compliance and encryption key management.

At Townsend Security we get all kinds of questions about PCI Compliance. A question we get asked frequently by healthcare professionals is:

As a medical healthcare provider, we accept payments via check or credit card through Point of Sale devices implemented by a third-party vendor. Are we responsible to comply with PCI DSS requirements?

Many people assume that if they use a third-party vendor, the vendor must be the one to comply with PCI DSS. Our CEO Patrick Townsend, has a different take on this subject. I asked Patrick if he could answer some of the common questions asked by healthcare providers concerned about PCI DSS compliance requirements.

Are we (healthcare providers) responsible for complying with PCI DSS?

Yes, every Merchant is responsible for PCI DSS compliance even if using an outsourced service. However, this type of arrangement can greatly reduce the amount of work that the Merchant has to do. Usually you will only need to complete and sign a Self Assessment Questionnaire (SAQ). You would get this from your outsourced authorization provider.

Okay, but if we do need to be concerned with PCI compliance, how is the PCI DSS process managed? Does the IT team tackle this? Our compliance team?

Typically the IT department takes the lead on coordinating any work that has to be done for PCI DSS. This might include things such as a vulnerability scan by an approved scan provider and similar types of tasks. An officer or director then reviews and signs the SAQ and letter. In medical organizations the Compliance Officer is typically more involved with various medical industry compliance requirements related to HIPAA and so forth and usually not involved with PCI DSS. But it never hurts to ask.

What about banks that process our clients’ credit card information? What kind of reporting should we be getting from our bank confirming that they are compliant or following PCI DSS compliance?

Banks are under a different type of compliance requirement for PCI. You should just ask them for a letter assuring you that they meet all PCI data security requirements as an authorization provider.

Sometimes PCI compliance can be confusing. Hopefully, thanks to Patrick, you may now have a better understanding of PCI compliance and how you can outsource credit card information while remaining PCI DSS compliant. If you have questions about PCI compliance, send me an email at kristie.edwards@townsendsecurity.

If you're struggling to understand encryption key management, trust me, you're not alone. If you are just beginning your research, here is the first step to lead you in the direction of a comprehensive key management plan that meets all data security compliance regulations.

Storing your encryption keys on the same device as your encrypted data is like taping your house key to the front of your door. It’s just a bad idea! Plain and simple. Whether you’re a DBA, IT Admin, or Auditor, PCI DSS section 3 addresses encryption keys and states that keys should be managed with Dual Control and Separation of Duties. This means the keys must be stored on a separate system designed to manage the keys.

Dual control means using multiple people to manage parts of the keys so that no one person has entire control of the keys. PCI DSS section 3 also speaks directly to this protocol. Without separation of duties and dual control, storing your keys on a separate device isn’t much better than “hiding” your key under the welcome mat.

The other day I spoke with a prospect in the healthcare industry who believed the tools he had in place for key management were sufficient, until he found out they were not. This prospect was using Software as a Service (SaaS) to manage their encryption keys. While using SaaS is a great replacement for some aspects of our work lives, it will not work for key management if you’re managing your keys on the same server as you store your encrypted data.

In the healthcare industry, the HIPAA HITECH act states simply, “… covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt”.

There are some people out there still storing their keys on their database server, thinking that they are meeting compliance regulations. What they don’t realize is that they are not PCI DSS compliant and will likely fail a security audit if they are audited. My last word is this: When it comes to regulations like PCI, HIPAA/HITECH, or state privacy laws, you must physically separate encryption keys from the data they protect.

PCI DSS. HIPAA/HITECH. State Privacy Laws. What do all these compliance regulations have in common? They require you to be collecting and monitoring your system logs. To give an example of how logging works, if someone tries to sign into an IBM i (or any server) and for whatever reason the username or password is invalid, that event is logged in the system log. Why is this important? Because if you were to look at this system log in real-time and notice several invalid username and password events, you would say “Hey, our system is being attacked. We need to take action on this now.”
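The real-time check described above, as an added example (not Alliance LogAgent or any Townsend Security code): invalid sign-on events are parsed from log lines and an alert is raised when one source address trips a threshold inside a sliding time window. The line layout, the sample lines, the threshold and the window are all assumptions made for this illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simple syslog-like layout (not real IBM i output):
# "<ISO timestamp> <host> auth: user=<name> src=<ip> result=<OK|INVALID>"
SAMPLE_LOG = """\
2013-04-02T09:00:01 ibmi01 auth: user=jsmith src=10.0.0.12 result=OK
2013-04-02T09:00:05 ibmi01 auth: user=admin src=203.0.113.9 result=INVALID
2013-04-02T09:00:07 ibmi01 auth: user=root src=203.0.113.9 result=INVALID
2013-04-02T09:00:09 ibmi01 auth: user=guest src=203.0.113.9 result=INVALID
2013-04-02T09:00:11 ibmi01 auth: user=admin src=203.0.113.9 result=INVALID
2013-04-02T09:00:14 ibmi01 auth: user=admin src=203.0.113.9 result=INVALID
2013-04-02T09:01:30 ibmi01 auth: user=mjones src=10.0.0.15 result=INVALID
2013-04-02T09:05:00 ibmi01 auth: user=mjones src=10.0.0.15 result=OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth: user=(\S+) src=(\S+) result=(OK|INVALID)$")


def parse(line: str):
    """Parse one line into an event dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "ok": result == "OK"}


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert once per source address that logs >= threshold invalid sign-ons within window.

    A per-source sliding window keeps only the timestamps still inside the window,
    so a single mistyped password (one event) never trips the alert on its own.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["ok"]:
            continue  # ignore unparseable lines and successful sign-ons
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "host": ev["host"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in analyze_sample():
        print(f"ALERT {a['src']} -> {a['host']}: {a['count']} invalid sign-ons "
              f"between {a['first']} and {a['last']}")
```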

Unfortunately, compliance regulations sometimes aren’t enough of a reason for a company to do everything that they should to protect your sensitive data. Many times there just isn’t a budget for additional technology or when management does spend money, they want to see a return on their investment (ROI). Luckily, there is a clear ROI when you invest in a system logging solution. Here are three things to help you make your case to management on why you need to purchase a system logging solution:

1) Save Time

System logging can make life easier for the IT department, giving them back time to work on other projects. Recently we had a customer purchase Alliance LogAgent, our IBM i (AS/400) system logging solution, who was sending system logs to his SIEM console within an hour of getting started.

2) Save Money

Everyone wants to save money, right? Sure, it might be possible to write your own logging application (not an easy feat on the IBM i), but why waste a developer’s valuable time? Alliance LogAgent is a low-cost solution that is trusted by companies worldwide.

3) Solve Business Problems

System logging will solve business problems. An audit can be a problem and we see companies getting dinged on logging all the time. Not knowing who is logged into your system is a problem that auditors will not overlook. The sooner you can get through an audit, the sooner you can be back to focusing on business.

Listen to our podcast “System Logging on the IBM i” for more information on logging, how it can help you meet compliance requirements, what to look for in a logging solution, and how Townsend Security can help you transmit the logs from your IBM i to any SIEM console.

I recently had a conversation with one of our customers about the automatic encryption webinar they attended. The webinar demonstrated how companies can implement AES encryption on their AS/400 without making application changes. This customer currently has our managed file transfer solution, FTP Manager with PGP encryption, and was confused as to why they would need AES encryption if they were using PGP. I explained that PGP encryption protects data in motion - when it is transferred outside his company. If he was storing data on his AS/400, he would need AES encryption to protect his data at rest.

AES Encryption

AES encryption is the standard when it comes to encrypting data in a database. Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies. AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations. AES encryption uses an encryption key to encrypt the data. Typically, this key is stored on the AS/400 and used when the data needs to be decrypted. To side track here a little, this is not a good idea. Leaving your encrypted data and keys in the same place is like leaving the key to your house under your door mat. If you want to learn more about why this is a bad idea, take a look at this blog article on the topic.

PGP Encryption

PGP encryption is the standard when it comes to encrypting files that need to be transferred. Pretty Good Privacy (PGP) is the standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies. Also know that when encrypting a file with PGP, you may be using AES encryption.

AES encryption and PGP encryption solutions work together to ensure that all your sensitive data is secure. AES will protect data at rest within your organization and PGP encryption keeps it secure when it is sent outside your company.

Recently, Townsend Security hosted a donation drive for the YWCA’s “The Other Bank”. The Other Bank provides items to low income families in Thurston County, where Townsend Security is headquartered. They collect a variety of things to help families in need - for example, diapers, toilet paper, dish soap, deodorant, etc. From The Other Bank’s website:

THE OTHER BANK offers assistance to over 100 families each week, representing 350-450 individuals; one-third of whom are younger than thirteen and half of those are under the age of 5. We also provide supplies to clients who are disabled, elderly, or otherwise housebound, averaging approximately 10-20 individuals monthly with the aid of their caregivers or chore workers. The average income for a family of four who use THE OTHER BANK is $650 a month. Family circumstances vary; there are families who are homeless, receiving unemployment benefits, and others who are working minimum wage jobs. All are struggling to make ends meet and would have to go without the items we distribute if we did not have them available.

At Townsend Security we wanted to give back to our community during this holiday season and when I learned about this organization, I knew that everyone in the office would want to help. I asked The Other Bank what was most needed and decided that the best way to help was to conduct a hygiene drive. Our team rose to the occasion and helped to donate nearly $600.00 worth of hygiene products. This is our first annual donation drive and we are hoping to do more next year.

Without organizations like The Other Bank, there are a lot of people who would go without. In an earlier blog post this year, I mentioned how great it is to work at a company where the community is so important. It is great to work at a company that not only says it wants to make its community better - it actually does it and encourages all of its employees to do the same. Working at Townsend Security has inspired me to be a volunteer at the YWCA and I have put in over 20 hours these past few weeks.

How have you paid it forward this year? Please share your stories to help inspire new ideas.